Merge "Add test case for user quota management in IpSecService" am: baaa5670f5
am: 4288bb9e34
Change-Id: I1022151e9317194ac45501a59f68c9bba89e16df
This commit is contained in:
Di Lu
@@ -23,7 +23,11 @@ import static android.system.OsConstants.SOCK_DGRAM;
|
|||||||
import static org.junit.Assert.assertEquals;
|
import static org.junit.Assert.assertEquals;
|
||||||
import static org.junit.Assert.assertNotEquals;
|
import static org.junit.Assert.assertNotEquals;
|
||||||
import static org.junit.Assert.assertNotNull;
|
import static org.junit.Assert.assertNotNull;
|
||||||
|
import static org.junit.Assert.assertTrue;
|
||||||
import static org.junit.Assert.fail;
|
import static org.junit.Assert.fail;
|
||||||
|
import static org.mockito.Matchers.anyInt;
|
||||||
|
import static org.mockito.Matchers.anyString;
|
||||||
|
import static org.mockito.Matchers.eq;
|
||||||
import static org.mockito.Mockito.mock;
|
import static org.mockito.Mockito.mock;
|
||||||
import static org.mockito.Mockito.verify;
|
import static org.mockito.Mockito.verify;
|
||||||
import static org.mockito.Mockito.when;
|
import static org.mockito.Mockito.when;
|
||||||
@@ -46,6 +50,8 @@ import java.net.InetAddress;
|
|||||||
import java.net.ServerSocket;
|
import java.net.ServerSocket;
|
||||||
import java.net.Socket;
|
import java.net.Socket;
|
||||||
import java.net.UnknownHostException;
|
import java.net.UnknownHostException;
|
||||||
|
import java.util.ArrayList;
|
||||||
|
import java.util.List;
|
||||||
|
|
||||||
import org.junit.Before;
|
import org.junit.Before;
|
||||||
import org.junit.Test;
|
import org.junit.Test;
|
||||||
@@ -57,6 +63,8 @@ import org.junit.runner.RunWith;
|
|||||||
public class IpSecServiceTest {
|
public class IpSecServiceTest {
|
||||||
|
|
||||||
private static final int DROID_SPI = 0xD1201D;
|
private static final int DROID_SPI = 0xD1201D;
|
||||||
|
private static final int MAX_NUM_ENCAP_SOCKETS = 100;
|
||||||
|
private static final int MAX_NUM_SPIS = 100;
|
||||||
private static final int TEST_UDP_ENCAP_INVALID_PORT = 100;
|
private static final int TEST_UDP_ENCAP_INVALID_PORT = 100;
|
||||||
private static final int TEST_UDP_ENCAP_PORT_OUT_RANGE = 100000;
|
private static final int TEST_UDP_ENCAP_PORT_OUT_RANGE = 100000;
|
||||||
|
|
||||||
@@ -260,4 +268,115 @@ public class IpSecServiceTest {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* This function checks if the number of encap UDP socket that one UID can reserve
|
||||||
|
* has a reasonable limit.
|
||||||
|
*/
|
||||||
|
@Test
|
||||||
|
public void testSocketResourceTrackerLimitation() throws Exception {
|
||||||
|
List<IpSecUdpEncapResponse> openUdpEncapSockets = new ArrayList<IpSecUdpEncapResponse>();
|
||||||
|
// Reserve sockets until it fails.
|
||||||
|
for (int i = 0; i < MAX_NUM_ENCAP_SOCKETS; i++) {
|
||||||
|
IpSecUdpEncapResponse newUdpEncapSocket =
|
||||||
|
mIpSecService.openUdpEncapsulationSocket(0, new Binder());
|
||||||
|
assertNotNull(newUdpEncapSocket);
|
||||||
|
if (IpSecManager.Status.OK != newUdpEncapSocket.status) {
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
openUdpEncapSockets.add(newUdpEncapSocket);
|
||||||
|
}
|
||||||
|
// Assert that the total sockets quota has a reasonable limit.
|
||||||
|
assertTrue(
|
||||||
|
openUdpEncapSockets.size() > 0
|
||||||
|
&& openUdpEncapSockets.size() < MAX_NUM_ENCAP_SOCKETS);
|
||||||
|
|
||||||
|
// Try to reserve one more UDP encapsulation socket, and should fail.
|
||||||
|
IpSecUdpEncapResponse extraUdpEncapSocket =
|
||||||
|
mIpSecService.openUdpEncapsulationSocket(0, new Binder());
|
||||||
|
assertNotNull(extraUdpEncapSocket);
|
||||||
|
assertEquals(IpSecManager.Status.RESOURCE_UNAVAILABLE, extraUdpEncapSocket.status);
|
||||||
|
|
||||||
|
// Close one of the open UDP encapsulation scokets.
|
||||||
|
mIpSecService.closeUdpEncapsulationSocket(openUdpEncapSockets.get(0).resourceId);
|
||||||
|
openUdpEncapSockets.get(0).fileDescriptor.close();
|
||||||
|
openUdpEncapSockets.remove(0);
|
||||||
|
|
||||||
|
// Try to reserve one more UDP encapsulation socket, and should be successful.
|
||||||
|
extraUdpEncapSocket = mIpSecService.openUdpEncapsulationSocket(0, new Binder());
|
||||||
|
assertNotNull(extraUdpEncapSocket);
|
||||||
|
assertEquals(IpSecManager.Status.OK, extraUdpEncapSocket.status);
|
||||||
|
openUdpEncapSockets.add(extraUdpEncapSocket);
|
||||||
|
|
||||||
|
// Close open UDP sockets.
|
||||||
|
for (IpSecUdpEncapResponse openSocket : openUdpEncapSockets) {
|
||||||
|
mIpSecService.closeUdpEncapsulationSocket(openSocket.resourceId);
|
||||||
|
openSocket.fileDescriptor.close();
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* This function checks if the number of SPI that one UID can reserve
|
||||||
|
* has a reasonable limit.
|
||||||
|
* This test does not test for both address families or duplicate SPIs because resource
|
||||||
|
* tracking code does not depend on them.
|
||||||
|
*/
|
||||||
|
@Test
|
||||||
|
public void testSpiResourceTrackerLimitation() throws Exception {
|
||||||
|
List<IpSecSpiResponse> reservedSpis = new ArrayList<IpSecSpiResponse>();
|
||||||
|
// Return the same SPI for all SPI allocation since IpSecService only
|
||||||
|
// tracks the resource ID.
|
||||||
|
when(mMockNetd.ipSecAllocateSpi(
|
||||||
|
anyInt(),
|
||||||
|
eq(IpSecTransform.DIRECTION_OUT),
|
||||||
|
anyString(),
|
||||||
|
eq(InetAddress.getLoopbackAddress().getHostAddress()),
|
||||||
|
anyInt()))
|
||||||
|
.thenReturn(DROID_SPI);
|
||||||
|
// Reserve spis until it fails.
|
||||||
|
for (int i = 0; i < MAX_NUM_SPIS; i++) {
|
||||||
|
IpSecSpiResponse newSpi =
|
||||||
|
mIpSecService.reserveSecurityParameterIndex(
|
||||||
|
0x1,
|
||||||
|
InetAddress.getLoopbackAddress().getHostAddress(),
|
||||||
|
DROID_SPI + i,
|
||||||
|
new Binder());
|
||||||
|
assertNotNull(newSpi);
|
||||||
|
if (IpSecManager.Status.OK != newSpi.status) {
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
reservedSpis.add(newSpi);
|
||||||
|
}
|
||||||
|
// Assert that the SPI quota has a reasonable limit.
|
||||||
|
assertTrue(reservedSpis.size() > 0 && reservedSpis.size() < MAX_NUM_SPIS);
|
||||||
|
|
||||||
|
// Try to reserve one more SPI, and should fail.
|
||||||
|
IpSecSpiResponse extraSpi =
|
||||||
|
mIpSecService.reserveSecurityParameterIndex(
|
||||||
|
0x1,
|
||||||
|
InetAddress.getLoopbackAddress().getHostAddress(),
|
||||||
|
DROID_SPI + MAX_NUM_SPIS,
|
||||||
|
new Binder());
|
||||||
|
assertNotNull(extraSpi);
|
||||||
|
assertEquals(IpSecManager.Status.RESOURCE_UNAVAILABLE, extraSpi.status);
|
||||||
|
|
||||||
|
// Release one reserved spi.
|
||||||
|
mIpSecService.releaseSecurityParameterIndex(reservedSpis.get(0).resourceId);
|
||||||
|
reservedSpis.remove(0);
|
||||||
|
|
||||||
|
// Should successfully reserve one more spi.
|
||||||
|
extraSpi =
|
||||||
|
mIpSecService.reserveSecurityParameterIndex(
|
||||||
|
0x1,
|
||||||
|
InetAddress.getLoopbackAddress().getHostAddress(),
|
||||||
|
DROID_SPI + MAX_NUM_SPIS,
|
||||||
|
new Binder());
|
||||||
|
assertNotNull(extraSpi);
|
||||||
|
assertEquals(IpSecManager.Status.OK, extraSpi.status);
|
||||||
|
|
||||||
|
// Release reserved SPIs.
|
||||||
|
for (IpSecSpiResponse spiResp : reservedSpis) {
|
||||||
|
mIpSecService.releaseSecurityParameterIndex(spiResp.resourceId);
|
||||||
|
}
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|||||||
Reference in New Issue
Block a user